maintainer: This field marks who is responsible for the permissions.json file and the accompanying Dockerfile. It does NOT mark who is responsible for the image itself.

Ex:

,"maintainer":"Timothy Hobbs <timothyhobbs (at) seznam dot cz>"

executable: This field denotes the absolute path within the Docker image where the given image’s executable resides. This value is optional. If it is not present, then the subuser image cannot be run (but may be depended upon by other subuser images).

Ex:

,"executable":"/usr/bin/vim"

Default: The image has no executable and cannot be run (but it can be depended upon, as a library).

entrypoints: This optional field allows you to add “entrypoints” to your subuser. These are executables that can be added, if the user so wishes, to the PATH on the host system. This is a dictionary which maps “desired name on host” to “path within subuser image”.

basic-common-permissions: This flag allows you to enable a set of basic, safe, and common permissions without having to list them individually. The basic common permissions are:

stateful-home

inherit-locale

inherit-timezone

If any of the basic common permissions are also set explicitly, their value overrides this value. For example, if stateful-home is explicitly set to false but basic-common-permissions is set to true, stateful-home is false.

stateful-home: Changes that the subuser makes to its home directory should be saved to a special subuser-homes directory.

Default: false

inherit-locale: Automatically set the $LANG and $LANGUAGE environment variables in the container to their values outside of the container. Note: You do not have to set this if you have set basic-common-permissions.

Default: false

inherit-timezone: Automatically set the $TZ environment variable in the container to the value outside of the container. Also gives the subuser read-only access to the /etc/localtime file. Note: You do not have to set this if you have set basic-common-permissions.

privileged: Should the subuser’s Docker container be run in privileged mode?

Warning

Completely insecure!

Default: false

run-commands-on-host: Should the subuser be able to execute commands as the normal user on the host system? If this is enabled, a /subuser/execute file will be present in the container. Any text appended to this file will be piped to /bin/sh on the host machine.

last-update-time: This field records the last time the image or its Dockerfile was known to be updated. Its purpose is to tell subuser whether an image has been updated and must be re-installed. It is important that this string be comparable with Python’s built-in string comparison algorithm.
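
The following Python code is an added example, not part of subuser or of the original page. It resolves the effective permissions of a permissions.json using the basic-common-permissions override rule above, flags the two permissions that break isolation from the host, and compares last-update-time values as plain strings. The function names and the sample file are constructed for illustration; treating an absent run-commands-on-host field as false is an assumption, since the page states that default only for privileged.

```python
import json

# Permissions enabled by basic-common-permissions, as listed on this page.
BASIC_COMMON = ("stateful-home", "inherit-locale", "inherit-timezone")
# Permissions this page describes as giving up isolation from the host.
HIGH_RISK = {
    "privileged": "container runs in Docker privileged mode",
    "run-commands-on-host": "text written to /subuser/execute is piped to /bin/sh on the host",
}

def effective_permissions(perms):
    """Resolve boolean permissions; explicit values override basic-common-permissions."""
    basic = perms.get("basic-common-permissions", False)
    resolved = {}
    for name in BASIC_COMMON:
        # An explicitly set value wins over the basic-common-permissions flag.
        resolved[name] = perms[name] if name in perms else basic
    for name in HIGH_RISK:
        # Assumption: an absent field means the permission is not granted.
        resolved[name] = perms.get(name, False)
    return resolved

def review(perms):
    """Return a list of findings for a parsed permissions.json (hypothetical helper)."""
    resolved = effective_permissions(perms)
    findings = [f"{name}: {why}" for name, why in HIGH_RISK.items() if resolved[name]]
    if "executable" not in perms:
        findings.append("no executable: image can only be depended upon, not run")
    elif not perms["executable"].startswith("/"):
        findings.append("executable is not an absolute path")
    return findings

def is_newer(available, installed):
    """Compare last-update-time values with plain string comparison."""
    # Only zero-padded, most-significant-first formats sort correctly this way.
    return available > installed

# Constructed sample file for illustration.
SAMPLE = json.loads("""
{"maintainer": "Example Maintainer <maintainer (at) example dot org>",
 "executable": "/usr/bin/vim",
 "basic-common-permissions": true,
 "stateful-home": false,
 "run-commands-on-host": true,
 "last-update-time": "2014-02-12-12:59"}
""")

if __name__ == "__main__":
    print(effective_permissions(SAMPLE))
    for finding in review(SAMPLE):
        print("FINDING:", finding)
```

A value such as "2014-9-01" sorts after "2014-10-01" as a string, which is why last-update-time needs a zero-padded, year-first format.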